HP-UX 11i v3 Installation and Update Guide, September 2007 (Update 1 Release)
Security Considerations
HP-UX Bastille (HPUXBastille) is included as recommended software on the
Operating Environment media and can be installed and run with Ignite-UX or
Update-UX (see “Predefined Security Levels” (page 41)).
HP-UX Bastille is a security hardening and lockdown tool that can be used to enhance
security of the HP-UX operating system. It provides customized lockdown on a
system-by-system basis by encoding functionality similar to Bastion Host and other
hardening and lockdown checklists.
NOTE: For more information about HP-UX Bastille, refer to the HP-UX 11i v3 Release
Notes and the HP-UX System Administrator's Guide.
Predefined Security Levels
At cold-install or update-time, you can choose one of the security levels listed in
Table 3-2, with each one providing incrementally higher security.
Table 3-2 Predefined Security Configuration
Security Level   Configuration File Name [1]   Description
--------------   ---------------------------   -----------
Sec00Tools [2]   Not applicable                The install-time security infrastructure; no security changes.
Sec10Host [3]    HOST.config                   Host-based lockdown: firewall pre-enablement; some common
                                               clear-text services turned off, excluding Telnet and FTP.
Sec20MngDMZ [3]  MANDMZ.config                 Lockdown while allowing secure management: IPFilter firewall
                                               blocks incoming connections except common, relatively safe,
                                               management protocols.
Sec30DMZ [3]     DMZ.config                    Network-DMZ Lockdown: IPFilter blocks all incoming
                                               connections except HP-UX Secure Shell.

[1] Configuration files are installed to /etc/opt/sec_mgmt/bastille/configs/defaults
[2] Sec00Tools is installed by default.
[3] Sec10Host, Sec20MngDMZ, and Sec30DMZ are selectable.
NOTE: When you select either the Sec30DMZ or MngDMZ security level, IPFilter will
restrict inbound network connections. For more information on how to add inbound
ports to your /etc/opt/ipf.customerrules file, refer to the HP-UX IPFilter (Version
A.03.05.09 and later) Administrator's Guide and the HP-UX System Administrator's Guide.
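As an illustration of the kind of entry the NOTE above refers to, the following rules use standard IPFilter rule syntax to admit specific inbound traffic. This is an added example, not text from the HP guide; the ports, the 192.0.2.0/24 documentation subnet and the host address are constructed placeholders, and the exact contents expected in /etc/opt/ipf.customerrules are described in the IPFilter Administrator's Guide.

```conf
# Added example (not from the HP guide). All addresses and ports are
# constructed placeholders; substitute the values for your environment.

# Allow inbound HTTPS (TCP 443) only from an administrative subnet.
# "flags S keep state" matches the initial SYN and tracks the connection,
# so return traffic is admitted without a separate rule.
pass in quick proto tcp from 192.0.2.0/24 to any port = 443 flags S keep state

# Allow inbound syslog (UDP 514) from a single log-forwarding host.
pass in quick proto udp from 192.0.2.10 to any port = 514 keep state
```

Restricting the source address, rather than using "from any", keeps each opened port reachable only from the hosts that need it.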